bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Biometrics on BW for Chrome not working requesting PERMANENT unlock of BW for Windows #9539

Open oeloo opened 2 weeks ago

oeloo commented 2 weeks ago

Steps To Reproduce

  1. Activate Windows Hello on Bitwarden Chrome extension
  2. BW for Windows is not currently unlocked
  3. Open Bitwarden Vault with Windows Hello

Expected Result

Bitwarden Chrome extension should open your vault so that you can enter your credentials on the websites you want.

Actual Result

You get the error: "User locked or logged out Please unlock this user in the desktop application and try again."

Screenshots or Videos

image

Additional Context

If BW for Windows is unlocked when using biometrics on BW for Chrome, you can unlock the BW for Chrome extension. BUT this completely defeats the purpose of the BW for Chrome extension. Furthermore, if you have to keep BW for Windows unlocked to use BW for Chrome, it is a major security issue.

Operating System

Windows

Operating System Version

11

Web Browser

Chrome

Browser Version

Version 125.0.6422.142 (Official Build) (64-bit)

Build Version

Extension=v2024.5.2 Windows client=2024.5.0

Issue Tracking Info

alex-ioma commented 2 weeks ago

I concur this is a major issue. Having the need to unlock the BW desktop client to be able to use Biometrics (after the app and the browser extension have already been connected) is a major usability impairment which defeats the whole purpose of having a browser extension.

Additionally I add that the same issue also happens with Bitwarden Chrome extensions on MacOS. I'm not sure if a new issue is needed since the issue is exactly the same as the one reported above.

Please advise.

Screenshot 2024-06-07 at 2 06 04 PM

steeviebops commented 2 weeks ago

I seem to be having the same issue on Firefox on Windows 11. In my case, clicking the "Unlock with Biometrics" option in the browser extension causes "Awaiting confirmation from desktop" to flash briefly but the Windows Hello prompt never appears. It will only work if I unlock the desktop client first.

oeloo commented 2 weeks ago

Your issue is similar. The problem seems to be due to the BW desktop. This is a big issue: not only does it break the user's process of using BW (no Windows Hello), but it is also a major security issue (force having BW unlocked to do your daily work).

alroberts commented 2 weeks ago

I'm so damn sick of this issue. Guys.. just fricking fix this already.. it's been months and it's just such a damn annoyance.

This situation (or similar) has been reported so many times.. Why is there no real acknowledgement of the issue? I like BitWarden but why the hell do I pay for it if this can't be fixed after a year already?

alex-ioma commented 2 weeks ago

@kspearrin: perhaps, it might be worth involving a direct member of BW team to raise awareness of this issue?

Although I might grasp the complexity of the issue - having to work with OS-specific API / security restrictions - this has a major impact on browser extension usability and overall BW customer experience.

alex-ioma commented 2 weeks ago

@oeloo I would also adjust the issue title, as this thread might be used as a general issue that encompasses more OSs and browsers (the root cause might actually be the same).

oeloo commented 2 weeks ago

@alex-ioma This should be the role of the BW dev team community. Given the severity of this issue, it is not acceptable that the BW dev team community does not provide feedback (I am not even talking about a solution here). For example, as you suggest, they should have at least targeted this bug appropriately.

MGibson1 commented 2 weeks ago

Hi all, I promise we're aware and looking into flow improvements. I've outlined our current plan below, and feedback is welcome. This change is actually a short-term response to a detected security issue where biometric authentication from the browser could cause user keys to persist in desktop memory for an extended period.

The method we have of preventing long-lasting retention of sensitive data is by forcing the application to crash and restart, which we internally call process reload. It's very destructive, though, and needs to be handled by the Desktop client directly, not whenever the browser asks for a key.

The short term "solution" here was to allow the Desktop to handle user sessions as it was designed to do by needing to be unlocked prior to handling sensitive data. That way, process reload will ensure the data is disposed of automatically when the user locks or logs out of the Desktop client.

I totally understand that this is a frustrating user flow change, but it was done to ensure that sensitive data is managed appropriately.

To clarify, you do not need to keep the Desktop application unlocked the entire time you use the browser, it only needs to be unlocked when you do the key exchange. I realize that that may mean unlocking twice, for now. In light of that, does anyone see a security vulnerability? I take those very seriously, but I believe this actually minimizes risk.

Planned approach

The planned long-term approach for browser biometric authentication right now is to unlock the desktop client at the same time as the browser client when performing biometric authentication with the browser. That way, the user's session is managed appropriately in both the desktop and the browser. It also removes the need to separately authenticate in each client.
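The three key-handling policies described in the comment above (the earlier flow where a browser request loaded the key into the desktop outside its session, the current gate that refuses the request until the desktop is unlocked, and the planned flow that unlocks both clients at once) can be compared in a small model. This is an added, constructed illustration, not Bitwarden's code; `Policy`, `DesktopClient`, `OS_KEYSTORE` and `run_flow` are invented names, `lock()` stands in for the process reload the comment describes, and the stored key bytes are made up.

```python
"""Toy model of the browser/desktop biometric key handoff discussed above.

Constructed illustration; it is not Bitwarden's code. The property modelled:
a user key should enter desktop memory only through the desktop's own session
lifecycle, so that lock/process reload is guaranteed to dispose of it.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Policy(Enum):
    LEGACY = "legacy"          # browser request loads key ad hoc, outside the session
    GATED = "short-term"       # browser request refused unless desktop is unlocked
    UNLOCK_BOTH = "planned"    # browser biometric unlocks the desktop session too


class UserLockedError(Exception):
    """Mirrors the 'User locked or logged out' message reported in the issue."""


# Constructed stand-in for the OS biometric-protected key store (fake key bytes).
OS_KEYSTORE = {"alice": b"\x11" * 32}


@dataclass
class DesktopClient:
    policy: Policy
    session_key: Optional[bytearray] = field(default=None, repr=False)
    # The LEGACY flow parks the key here, with no lock/reload tied to it.
    stray_key: Optional[bytearray] = field(default=None, repr=False)

    @property
    def unlocked(self) -> bool:
        return self.session_key is not None

    def unlock(self, user: str, biometric_ok: bool) -> None:
        """Desktop's own unlock: the key enters memory under session management."""
        if not biometric_ok:
            raise PermissionError("biometric prompt failed")
        self.session_key = bytearray(OS_KEYSTORE[user])

    def lock(self) -> None:
        """Stand-in for process reload: wipe and drop everything the session owns."""
        if self.session_key is not None:
            for i in range(len(self.session_key)):
                self.session_key[i] = 0
        self.session_key = None
        # stray_key is deliberately NOT touched: that is the legacy defect.

    def browser_biometric_request(self, user: str, biometric_ok: bool) -> bytes:
        """Handle 'unlock with biometrics' coming from the browser extension."""
        if not biometric_ok:
            raise PermissionError("biometric prompt failed")
        if self.policy is Policy.LEGACY:
            # Key loaded on the browser's behalf and retained outside the session.
            self.stray_key = bytearray(OS_KEYSTORE[user])
            return bytes(self.stray_key)
        if not self.unlocked:
            if self.policy is Policy.GATED:
                raise UserLockedError(
                    "User locked or logged out. Please unlock this user in the "
                    "desktop application and try again.")
            self.unlock(user, biometric_ok)   # UNLOCK_BOTH: one unlock for both
        return bytes(self.session_key)

    def key_resident(self) -> bool:
        """True if any non-zeroed copy of the user key is still in desktop memory."""
        return any(k is not None and any(k)
                   for k in (self.session_key, self.stray_key))


def run_flow(policy: Policy) -> dict:
    """Browser biometric unlock, then the user locks the desktop; report what remains."""
    d = DesktopClient(policy)
    out = {"browser_got_key": False, "error": None}
    try:
        d.browser_biometric_request("alice", biometric_ok=True)
        out["browser_got_key"] = True
    except UserLockedError as e:
        out["error"] = type(e).__name__
    out["desktop_unlocked_after_request"] = d.unlocked
    d.lock()
    out["key_resident_after_lock"] = d.key_resident()
    return out


if __name__ == "__main__":
    for p in Policy:
        print(p.value, run_flow(p))
```

Running it shows the trade-off in the thread: with `LEGACY` the browser gets its key while the desktop still reports itself locked, and the key survives `lock()`; with `GATED` the request is refused (the error users hit) but nothing survives a lock; with `UNLOCK_BOTH` the key is served, the desktop is in a managed session, and `lock()` clears it.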

alroberts commented 2 weeks ago

@MGibson1 - Can you provide a timeline or expectation of when this is going to be resolved? The announcing of Apple's new Password Manager has me on the fence as to whether I'll stick with BitWarden upon that release.

I value security.. it's my #1 priority... but at the same time, deep integration and ease-of-use is very important.

kapitainsky commented 1 week ago

I totally understand that this is a frustrating user flow change, but it was done to ensure that sensitive data is managed appropriately.

Thank you for the detailed explanation. But how is it done in the Safari browser, where everything works? I can unlock BW without unlocking the desktop client.

Overblown8831 commented 6 days ago

Hello, this also happens with our Edge browser. Is there a schedule so that it is more enjoyable to use Bitwarden again and you don't have to unlock twice?

It becomes more of a risk if it becomes too complicated for users and they go back to using simple passwords or sticking them under the keyboard.

oeloo commented 5 days ago

To clarify, you do not need to keep the Desktop application unlocked the entire time you use the browser, it only needs to be unlocked when you do the key exchange. I realize that that may mean unlocking twice, for now. In light of that, does anyone see a security vulnerability? I take those very seriously, but I believe this actually minimizes risk.

This workflow process, even temporarily, is not acceptable for users: not only is it cumbersome to explain this weird workflow to many users (it looks so weird), but even if they start doing it, it is a pain to do and a time lost. What about the security risk associated with the duration of two leases? In BW, you cannot even log out of both simultaneously! This urgent change clearly risks the security of BW users. Destroying users' workflows is probably worse for security than the technical security hole you discovered: it might be exploited by a few very high-tech hackers, while leaving one of the clients unlocked is a security hole anyone can exploit! Please provide a way for users to accept this small technical security hole to keep their normal BW workflow while you work on an urgent fix that does not break BW users' workflow.

Planned approach

The planned long-term approach for browser biometric authentication right now is to unlock the desktop client at the same time as the browser client when performing biometric authentication with the browser. That way, the user's session is managed appropriately in both the desktop and the browser. It also removes the need to separately authenticate in each client.

1Password has been using this approach since at least 2019: unlocking the 1Password desktop application also unlocks the 1Password Chrome add-on (and vice versa). If 1Password had discovered this security hole before 2019 and fixed it in 2019, I don't understand why BW only recognized it in 2024. On 1Password, locking the vault from one of the 2 clients locks both, since 2019. This is very important for security; unfortunately, in BW in 2024, you still cannot log out from the Chrome BW add-on and desktop client at once.

vision2003 commented 4 days ago

Security is of course very important, but this change renders unlocking via Windows Hello useless to me, as it's faster to type in the master password and be done with it. Not to mention that I migrated from LastPass to BitWarden (and am also paying $10/year) solely because of the Windows Hello feature.

cpainchaud commented 2 days ago

I hope the "long term" plan is for next week, because it's damn annoying to open the Bitwarden app before I can log in anywhere.

If at least the browser plugin could make the BW app unminimize/popup that would be of great help already.

Thank you.

0ldb34r commented 2 days ago

I can't believe how much everyone complains that the Bitwarden team has discovered a vulnerability and is trying to fix it, in their own interests as well as in those of their users, just because it inconveniences them a little for an indeterminate period of time. When proprietary companies don't do their job when it comes to keeping their users' data safe, it often ends in scandal and instantly brings the company into disrepute - witness LastPass, which was the target of password thefts last summer. It seems to me that Bitwarden has every reason to take precautions, especially as flaws of this type are not necessarily exploited as everyone thinks. A vulnerability can be misused, sometimes in ways we hadn't even considered, and when it is, it's often a real mess. Yes, it changes our habits a little, but between risking having my passwords exposed (even if the risk was slim) and having to click twice instead of once when I unlock my computer, the choice is quickly made. I'm aware that this may affect certain uses more, but what a lack of respect when everyone comes whining with their little threat to leave the service, with no respect for the ethics of the developers behind it. My only personal regret is that I searched for 3 days, thinking that the problem was with my configuration and not with Bitwarden. Luckily I found this post to help me understand: a little message when opening Bitwarden would have made things easier for a lot of people, I think.

cpainchaud commented 2 days ago

@0ldb34r I believe you should put yourself in the shoes of business users, where the IT team has to manage user discontent: not only was IT support not aware of this very impactful change and tickets are piling up, but they are now in a situation where they have to explain to non-IT users that they need to open the BW desktop app to unlock, then open the browser extension to unlock, and do that X times a day. Yes, it's good for security, but now they are explaining that the real fix will be "long term" and that in the meantime users should just go with it. The fix should be on a very short plan, or users will want an extra-long auto-lock delay to avoid the situation -> less security.

0ldb34r commented 2 days ago

@cpainchaud Except that there are other ways of doing this, which are just as secure: using a PIN code while waiting for the problem to be dealt with, for example. I fully understand that this is an embarrassment and a difficulty for your teams, but you seem to be putting aside what is required of a password manager above all else: ensuring the full and complete security of the data it stores. If the solution were simple, Bitwarden wouldn't take much pleasure in pointing out that the solution will be found in the long term! Personally, I won't put my passwords with Dashlane and I won't put them with LastPass, who are completely opaque about their policy in the event of a breach. But it's up to you to make the switch. When you accept a deal with a company, you accept the ethics it upholds: in this case, putting vulnerabilities ahead of optimizing the user experience at all costs. This is consistent with an OpenSource model. The real question is: do you think that a bunch of you ranting and raving is going to speed up the handling of this security flaw? Or are you doing it just to let people know you're unhappy? If the latter, Bitwarden already knows about it...

cpainchaud commented 2 days ago

@0ldb34r you do underestimate users' stupidity: if it's too inconvenient, they will go back to post-it notes or whatever software they find on Google. That's real life.

I am here to make sure that they (BW) understand that it's not something they can wait for next year.

oeloo commented 2 days ago

@0ldb34r This security issue was already discovered by 1Password in 2019 and solved. So we could have expected this to be found by BW before June 2024. I do appreciate Bitwarden, I do appreciate open source and have full respect for the people making it live every day (and I am also a paying BW customer), but this problem is 'urgent' not because of due diligence but because of a lack of diligence from BW on security. This is an issue discovered and solved by 1Password in 2019.

Then we need to talk about the urgent solution brought by the BW team: it is questionable to force users into such a weird process. This process is a security flaw that is more dangerous than the initial problem: initially, the hacker needed high computer knowledge to use the issue, whereas now the potential hacker does not need any computer skill since many user vaults will have to stay fully unlocked for much much longer.

abinthomas744 commented 2 days ago

Can we please have a rough estimate of how long it will take for this issue to be resolved?

masterflitzer commented 2 days ago

I can't believe how much everyone complains that the Bitwarden team has discovered a vulnerability and is trying to fix it...

I don't like the lack of communication about this. Of course security fixes should land fast, but then notify me in the app with a little info icon that the functionality changes. I wasted time trying to figure out what happened and finding this issue.

0ldb34r commented 2 days ago

@masterflitzer I only regret that there's so much obvious anger towards the Bitwarden team on this subject. As for the principle of putting a message on the extension or app to explain the bug, I totally agree, since I've been in this situation for 3 days, trying to find out where the configuration problem was.

ejain commented 1 day ago

Noticed this behavior on both Windows and macOS, assumed it was just another bug...